rpms / grub2

Clone
Source Code
GIT

Blame SOURCES/0467-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-i686 c8 c8-beta c8s c9 c9-beta
  1.   4123e7761b14b70dd27eb8a66e0789e6d7b6b3c8
  2.   SOURCES
  3.   0467-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
Blob History Raw
d18179 
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
d18179 
From: Daniel Axtens <dja@axtens.net>
d18179 
Date: Wed, 7 Jul 2021 15:38:19 +1000
d18179 
Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write
d18179
d18179 
Certain 1 px wide images caused a wild pointer write in
d18179 
grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
d18179 
we have the following loop:
d18179
d18179 
for (; data->r1 < nr1 && (!data->dri || rst);
d18179 
     data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
d18179
d18179 
We did not check if vb * width >= hb * nc1.
d18179
d18179 
On a 64-bit platform, if that turns out to be negative, it will underflow,
d18179 
be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
d18179 
we see data->bitmap_ptr jump, e.g.:
d18179
d18179 
0x6180_0000_0480 to
d18179 
0x6181_0000_0498
d18179 
     ^
d18179 
     ~--- carry has occurred and this pointer is now far away from
d18179 
          any object.
d18179
d18179 
On a 32-bit platform, it will decrement the pointer, creating a pointer
d18179 
that won't crash but will overwrite random data.
d18179
d18179 
Catch the underflow and error out.
d18179
d18179 
Fixes: CVE-2021-3697
d18179
d18179 
Signed-off-by: Daniel Axtens <dja@axtens.net>
d18179 
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
d18179 
(cherry picked from commit 41aeb2004db9924fecd9f2dd64bc2a5a5594a4b5)
d18179 
(cherry picked from commit 5f9582490792108306d047379fed2371bee286f8)
d18179 
(cherry picked from commit 7e4bf25d9bb5219fbf11c523296dc3bd78b80698)
d18179 
(cherry picked from commit a062059a004c9b3c7409ea29e721a08f64d7413b)
d18179 
---
d18179 
 grub-core/video/readers/jpeg.c | 4 ++++
d18179 
 1 file changed, 4 insertions(+)
d18179
d18179 
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
d18179 
index 5e46a55710..572250ae68 100644
d18179 
--- a/grub-core/video/readers/jpeg.c
d18179 
+++ b/grub-core/video/readers/jpeg.c
d18179 
@@ -705,6 +705,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
d18179 
     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
d18179 
 		       "jpeg: attempted to decode data before start of stream");
d18179
d18179 
+  if (vb * data->image_width <= hb * nc1)
d18179 
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
d18179 
+		       "jpeg: cannot decode image with these dimensions");
d18179 
+
d18179 
   for (; data->r1 < nr1 && (!data->dri || rst);
d18179 
        data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
d18179 
     for (c1 = 0;  c1 < nc1 && (!data->dri || rst);

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation